Identity, trust and OpenID

I recently wrote about OpenID on my journal, and I left kind of an overwhelmingly positive attitude simmering around the post. I still think you should read it, or something authoritative on what OpenID is, if you don’t know what it is. No, I don’t think OpenID is a silver bullet that will cure all identity and trust evilness on the web. OpenID itself was once presented as being about identity rather than trust, on the grounds that trust requires identity. I don’t think OpenID goes very far towards machine-readable identity, but it does go towards human-readable identity.

Identifying as a URL instead of with a nickname and a password isn’t that much of an improvement. It proves you have access to some kind of account that lets you deploy web pages, and a pipeline to an OpenID server that accepts you as a user. Since you can host your own OpenID server and web space is cheap (as in free) – this isn’t very comforting. Any service allowing users to authenticate comments with nothing more than an OpenID will find itself swarmed with spam in no time.

This is known, and will be handled by conventional spam filtering, CAPTCHAs, requiring that an account be created (via OpenID identification) instead of allowing anonymous submission (with OpenID signatures), and other means.

In addition, someone will try (or already has, what do I know?) whitelisting and/or blacklisting. As I see it, this might or might not totally destroy what OpenID is all about. Blacklisting will probably work, but doing it will be walking on the edge. Blacklisting each individual account is wasted effort: each account is just one URL, and spammers can generate one for each comment and never run dry, even if they change the actual account. Delegation would probably be used, so you would need to keep lists on the endpoints as well. Blacklisting domains could be done, but it would require a bit of finesse or human intervention. Spammers manage to get hold of legitimate accounts, or accounts on legitimate hosts… one wrong step and you’d have blocked a legitimate, and possibly popular, provider.
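To show why lists have to be kept on the endpoints rather than on the claimed URLs, here is an added example (my own, not part of the original post) that performs OpenID HTML discovery on a claimed-identifier page and keys a blocklist on the provider endpoint host; the sample pages and hostnames (idp.example, honest.example) are constructed, not real sites.

```python
"""OpenID HTML discovery (openid.server / openid.delegate link tags, plus the
OpenID 2.0 openid2.provider / openid2.local_id variants) and a blocklist that
is keyed on the provider endpoint instead of the throwaway claimed URL."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkRelParser(HTMLParser):
    """Collects <link rel=... href=...> tags from a claimed-identifier page."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():          # rel may hold several tokens
                self.rels.setdefault(token.lower(), href)


def discover(page_html):
    """Return (provider_endpoint, delegated_identifier); either may be None."""
    parser = _LinkRelParser()
    parser.feed(page_html)
    server = parser.rels.get("openid2.provider") or parser.rels.get("openid.server")
    delegate = parser.rels.get("openid2.local_id") or parser.rels.get("openid.delegate")
    return server, delegate


def endpoint_host(page_html):
    """Normalised hostname of the provider endpoint, or None if none is declared."""
    server, _ = discover(page_html)
    return urlsplit(server).hostname.lower() if server else None


def is_blocked(page_html, blocked_hosts):
    """Two different claimed URLs that delegate to one endpoint share one verdict."""
    host = endpoint_host(page_html)
    return host is not None and host in blocked_hosts


# Constructed sample pages: A and B are distinct throwaway identifiers that
# delegate to the same provider; C uses an unrelated (OpenID 2.0) provider.
PAGE_A = ('<html><head><link rel="openid.server" href="https://idp.example/openid">'
          '<link rel="openid.delegate" href="https://idp.example/u/a1"></head></html>')
PAGE_B = ('<html><head><link rel="openid.server" href="https://IDP.example/openid">'
          '<link rel="openid.delegate" href="https://idp.example/u/b2"></head></html>')
PAGE_C = '<html><head><link rel="openid2.provider" href="https://honest.example/op"></head></html>'
BLOCKED_ENDPOINT_HOSTS = {"idp.example"}
```

Blocking by endpoint host catches both A and B with one entry, which is exactly why a wrong entry also takes out every legitimate user of that provider.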

Whitelisting would be impossible to do without wrecking it all. One of the cornerstones of OpenID is that you can set up your own provider, but if it were blocked by everyone from the start… Ok, that wouldn’t do, would it.

Where OpenID will, and does, work is between humans. If I write something, say in a WordPress blog… Incidentally I do… and start signing (in and by) as the URL of this blog, then people will know that I wrote the [whatever] I signed, and they can look up where I keep my identity and see what I am about. And what I write. That I am (most likely) a human being. This will lead to trust.

The only thing missing is spammers making sure their comments seem genuine, and leading readers on a click-through chase to a spam/ad page by way of the OpenID URL… Oh, well. Hope they don’t get that idea from me.